- All
- IT Services
- Information Security
Powered by AI and the LinkedIn community
1
Choose the right type of key
2
Generate strong and random keys
3
Store keys in a secure location
4
Rotate and revoke keys periodically
5
Follow the principle of least privilege
6
Educate and train your staff
7
Here’s what else to consider
Encryption keys are the secret codes that protect your data from unauthorized access. They are essential for cryptography and encryption, which are the methods of transforming data into unreadable formats and back again. But how do you securely manage and store your encryption keys? In this article, you will learn some best practices and tips to keep your keys safe and accessible.
Top experts in this article
Selected by the community from 42 contributions. Learn more
Earn a Community Top Voice badge
Add to collaborative articles to get recognized for your expertise on your profile. Learn more
- Rohit Goel Senior Staff Security Engineer | Ex-VMware | CISSP | CCSP | AWS Security | CKS | HCVA * Views expressed are personal…
3
- Ameya Sohoni Lead Information Security Engineer at Mastercard
5
1 Choose the right type of key
There are different types of encryption keys, depending on the purpose and the algorithm. Some common ones are symmetric keys, asymmetric keys, and key pairs. Symmetric keys are used to encrypt and decrypt data with the same key, while asymmetric keys use a public key to encrypt and a private key to decrypt. Key pairs are a combination of a public and a private key, often used for digital signatures and authentication. You should choose the type of key that suits your needs and the level of security you require.
Help others by sharing more (125 characters min.)
- Ameya Sohoni Lead Information Security Engineer at Mastercard
With my experience on Cryptography implementations, the scope of choosing an encryption key is now dependent solely on data to be protected.1. Symmetric Encryption Keys are used for rapid crypto operations with small amounts of data to be protected e.g. a sensitive field or JSON document.2. Asymmetric Encryption Keys are used greatly for authentication, integrity check, key exchange rather than data encryption due to their slower processing and larger key size nature.With the challenges around both schemes,An architect is required to consider below questions before choosing1. What type and quantity of data2. At Rest or In Transit3. How many parties require access to the key4. Cryptographic operation to be performedThanks,
LikeLike
Celebrate
Support
Love
Insightful
Funny
5
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Pravesh Kumar Sharma CISSP | RHCE | CTIA | PCEAS
Till now industry moved very well using combination of symmetric + asymmetric. Qunatum computing is coming into picture. There are qubits capable enough to break the modern day cipher. we were using 0 & 1 in our day-to-day machines. we increased the permutation such that a normal machine took million of years to crack 128 bit aes cipher. FPGAs with government power will further reduce it to 3 months or more. so we practically change keys quarterly. qunatum will further reduce this gap.We will be required encryption utilizing same quantum computing because breaking is fast, encryption would also be.
LikeLike
Celebrate
Support
Love
Insightful
Funny
4
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Ravi Kumar Dasari (M.B.A, PMP®,CRISC®) Group Technology Risk and Tech Risk Integration Lead at UBS Singapore
I agree that the choice between symmetric and asymmetric encryption keys depends on the specific use case. Use symmetric encryption for faster performance and encrypting large data volumes. For instance, AES is commonly used to secure files or data at rest.Use asymmetric encryption for secure communication and authentication. For example, SSL/TLS employs asymmetric keys to establish secure connections between web browsers and servers.In many cases, a hybrid approach combining both types provides an effective balance of speed and security.
LikeLike
Celebrate
Support
Love
Insightful
Funny
3
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Samir Patani LTS Secure SIEM | SOAR | Cybersecurity
Use a Hardware Security Module (HSM).Encrypt your encryption keys themselves Role-Based Access Control.Divide key management responsibilities among different individuals .Regular Key Rotation.Strong Authentication.Maintain detailed logs of all key management activities for monitoring and accountability purposes.Ensure that physical access to key management infrastructure is restricted and monitored.When transmitting keys, use secure channels such as encrypted connections (SSL/TLS) or secure file transfer protocols.Consider storing encryption keys offline in a secure, isolated environment.
LikeLike
Celebrate
Support
Love
Insightful
Funny
3
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
Encryption ecosystem works on two models based on two algorithm Symmetric & Asymmetric.Symmetric Algorithms generate a single key used for both Encryption and Decryption.Asymmetric Algorithms generate a key pair (Public & Private key) where the Encryption done by one key can be Decrypted the corresponding key only. Asymmetric algorithm are a bit slow in nature but are very useful when the key needs to be transferred through an unsecured channel.Eg: HTTPS , Certificates, PKI.Symmetric algos can be used in a trusted environment only hence we send Public key of Asymmetric algo to the intended recipient and then use Private key to encrypt and send the Symmetric key securely. The recipient use Public key to decrypt the Symmetric key.
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
Load more contributions
2 Generate strong and random keys
The strength of your encryption keys depends on their length and randomness. Longer keys are harder to crack, as they have more possible combinations. Random keys are more unpredictable, as they do not follow any pattern or logic. You should use a secure and reliable tool to generate your keys, such as a cryptographic library or a hardware device. Avoid using weak or predictable sources, such as passwords, names, or dates.
Help others by sharing more (125 characters min.)
-
But the tool to generate your keys also requires some verification and validation - proven and accepted by industry standards and frameworks. The tool should be trustworthy and free of flaws or backdoors that could compromise the security or quality of the keys. You should always check the source and the reputation of the tool before using it, and avoid using tools from unknown or dubious vendors or providers.
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Ravi Kumar Dasari (M.B.A, PMP®,CRISC®) Group Technology Risk and Tech Risk Integration Lead at UBS Singapore
Generating strong and random encryption keys is crucial for security. To achieve this, we can use a cryptographically secure random number generator (CSPRNG). For symmetric keys, tools like OpenSSL or libraries like Python's secrets module can help. For asymmetric keys, we can utilize libraries like OpenSSL or OpenSSH. It is important to follow best practices, such as using sufficient entropy sources and periodically refreshing keys for enhanced security.
LikeLike
Celebrate
Support
Love
Insightful
Funny
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
Load more contributions
3 Store keys in a secure location
The location where you store your keys is crucial for their security. You should store your keys in a place that is isolated from the data they protect, and that has restricted access and strong encryption. Some options are hardware security modules (HSMs), cloud key management services (KMSs), or encrypted files or databases. You should also backup your keys regularly and keep them in a separate location, in case of loss or damage.
Help others by sharing more (125 characters min.)
- Harry Ngai CISO | Advisor | Educator
It's essential to highlight the strategic balance between accessibility and security. Balancing Key Storage:- Hardware Security Modules (HSMs): - Pros: Offers a secure, physical location for encryption keys. - Cons: Requires physical maintenance and management.- Cloud Key Management Systems (KMSs): - Pros: Provides flexibility with remote access, quick scalability, and integrated backups. - Cons: Increases the potential threat surface, necessitating strict security protocols.Backup strategy is crucial if key storage extends beyond mere location: - Cyclic: Regular backups, not one-time. - Tested: Confirm backup functionality. - Secure: Match primary storage security levels.
LikeLike
Celebrate
Support
Love
Insightful
Funny
5
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Ali Amiri Senior Network Security Engineer @ Ip.Glass | Information Technology Master's
Most standards ask you to use HSMs and they do not accept KMSs but as you know the HSM solutions are very expensive for small businesses so they use KMSs.For backup also you should have HA plan for you HSMs or KMSs
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
(edited)
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Levy Olvera Information Security Architect
I've seeing a lot of trouble when implementing PKI, specially at the moment of deciding where to storage, cloud base, onprem, hybrid. And whom should be the keeper of the whole approach. Least privileged and need to know are no sufficient in most cases. My suggest is to define approach, approval method to generate, share/keep/store and rapidly replace if compromised.
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
For a cloud customer it always beneficial to opt for BYOk in order to safeguard their data and invoke keys as and when desired for case like cloud exits and migration
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
This is an essential requirement, but it also poses some challenges and opportunities. The key storage location should be physically and logically secure from unauthorized access or tampering, but also accessible and recoverable in case of need or emergency. Some options are hardware security modules (HSMs), cloud key management services (KMSs), or encrypted files or databases. Each option has its own advantages and disadvantages, depending on the cost, convenience, and control.
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
Load more contributions
4 Rotate and revoke keys periodically
Encryption keys have a lifespan, and they should be changed or replaced periodically to prevent compromise or expiration. You should establish a key rotation policy that defines how often and under what circ*mstances you will update your keys. You should also have a key revocation policy that specifies how you will disable or delete keys that are no longer needed or that have been compromised. You should monitor and audit your keys regularly to detect any anomalies or breaches.
Help others by sharing more (125 characters min.)
- Viswanth Prabhakaran, CISSP, ISMS LA, CCNA SECURITY Third Party Risk Manager at Celestica
Enable the log monitoring (for instance ingesting with SIEM) and audit the keys if it's no longer needed, delete themKey rotation should happen atleast every 3 month once
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Ali Amiri Senior Network Security Engineer @ Ip.Glass | Information Technology Master's
It is hard work because keys usually are used by a lot of teams. So managing the distribution of keys and also changing them regularly is the hardest part.Some developers hard code the keys in their code and sometimes you need an awareness program to educate them.
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
This is a best practice, but it also requires careful planning and coordination. The key rotation policy should balance the security and availability of the system, and avoid causing any disruption or incompatibility. The key rotation should be synchronized across all the parties and systems involved, ensuring that everyone has the most updated version of the keys. The key rotation frequency and triggers should depend on the risk level and usage pattern of the keys.
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
Key Splitting:Key splitting involves dividing an encryption key into multiple parts, or "shares," which are distributed to different individuals or systems. The original key can only be reconstructed when a sufficient number of shares are combined together. This technique adds an extra layer of security, as an attacker would need to compromise multiple entities to reconstruct the complete key.
LikeLike
Celebrate
Support
Love
Insightful
Funny
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Jose Rivera Head of Information Security at Rever, Inc
Key rotations would ideally be planned according to internal security management policies. While some keys may be easily changed periodically, others might require additional steps or increased complexity (production or mission critical services) that might not adjust to these defined policies. Unless the processes want to be modified whole, adding exceptions for such cases to the documentation and to the risk assessments will ensure that you stay compliant with regulations. Such exceptions should include the different steps and time-frames in which these specific rotations will happen.
LikeLike
Celebrate
Support
Love
Insightful
Funny
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
Load more contributions
5 Follow the principle of least privilege
The principle of least privilege means that you should only grant the minimum level of access and permissions to your keys that are necessary for the intended function. You should limit the number of people and systems that can access, use, or modify your keys, and enforce strict authentication and authorization mechanisms. You should also segregate your keys according to their sensitivity and purpose, and apply different security policies and controls accordingly.
Help others by sharing more (125 characters min.)
- Dr. Stanley Mwangi Chege PhD CEO, Author, Keynote Speaker at Digital Transformation Experts Ltd
The principle of least privilege ensures that users are only granted the access rights they need to accomplish their business operations and needs. It prevents users receiving excess privileges that they may use to subvert a process or commit fraud. It is a simple and very effective control. User access rights should be reviewed periodically for effective access control and data security.
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Christopher ANORUO Cyber Security Advisor and Enterprise IT Director
Micro Token Exchange technology solution initially replaces any size of file or data element with a MicroToken that serves as a placeholder for the original data. The original data is encrypted and broken apart into many segments whether at rest or in transit. Let us first examine the concept of trust. Standard security protocols require that you have trust entities your organization does not control. You must trust the OS, you must trust the certificate authority, you must trust the network, you must trust the device the client is using, and the list goes on. By embedding data security within your application, the data can be secured as soon as it exists, and your application can be 100% in control of ensuring it is never exposed.
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
This is a sensible principle, but it also demands a high level of security awareness and discipline. The access and permissions to the keys should follow the principle of least privilege, which means that only the minimum level of access and permissions that are necessary for the intended function are granted. The access and permissions should also be monitored and audited regularly to detect any anomalies or breaches. The authentication and authorization mechanisms should be strong and secure, such as passwords, tokens, certificates, or biometrics.
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Ravi Kumar Dasari (M.B.A, PMP®,CRISC®) Group Technology Risk and Tech Risk Integration Lead at UBS Singapore
Upholding the principle of least privilege in encryption key management is essential for strong security. For instance a) In Azure, assign precise permissions using Role-Based Access Control (RBAC), while Google Cloud's IAM allows tailored key access. In AWS, define granular policies through IAM roles. b) For on-premises setups, utilize dedicated hardware security modules (HSMs) to control key access. Implement Active Directory permissions to restrict user access to encryption keys based on roles and responsibilities.By combining least privilege with key segregation based on sensitivity and purpose, we can ensure optimal security both in the cloud and on-premises environments.
LikeLike
Celebrate
Support
Love
Insightful
Funny
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
6 Educate and train your staff
One of the biggest risks to your encryption keys is human error or negligence. You should educate and train your staff on the importance and the best practices of encryption key management. You should also establish clear and consistent policies and procedures for key management, and communicate them to your staff. You should also foster a culture of security awareness and accountability among your staff, and reward good behavior and report bad behavior.
Help others by sharing more (125 characters min.)
- Rohit Goel Senior Staff Security Engineer | Ex-VMware | CISSP | CCSP | AWS Security | CKS | HCVA * Views expressed are personal *
The staff needs to be educated to not commit keys, secrets , passwords or any other sensitive information in code repositories.-Pre-commit hooks should be configured to prevent this from happening- Platform teams should have regular scanning to report any instance of sensitive information found.- Developers should be trained on leveraging secret management tools like vaults/KMS/HSM.
LikeLike
Celebrate
Support
Love
Insightful
Funny
3
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Ali Amiri Senior Network Security Engineer @ Ip.Glass | Information Technology Master's
All organizations need a SETA program. This program should be based on the role of person who needs to be trained. I think the most important problem these days is the lack of such programs in an organization.
LikeLike
Celebrate
Support
Love
Insightful
Funny
3
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Abdulmuhaiminu Ademoh Enterprise Messaging Security Engineer at SLB | MSCE | CC | CISP
A holistic approach to encryption key management involves education, well-defined policies, a security-conscious culture, and appropriate incentives and consequences. By addressing human factors, organizations can significantly enhance their data protection measures and reduce the potential impact of human error on encryption key security.
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
This is an essential step, but it also requires constant reinforcement and evaluation. The staff should not only have theoretical knowledge on encryption key management, but also gain practical skills by having regular tests and feedback. The staff should also be updated on any changes or developments in the field of encryption key management, and be motivated and engaged in learning more.
LikeLike
Celebrate
Support
Love
Insightful
Funny
1
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
7 Here’s what else to consider
This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?
Help others by sharing more (125 characters min.)
-
Implement automated security scanning tools to continuously monitor repositories for hard coded secrets and take appropriate action.Consider a key escrow mechanism for critical systems. This allows recovery of encrypted data if the original key is lost.Establish clear processes for Key Lifecycle Management - generation, distribution, usage, rotation, and eventual retirement.Anticipate the need for potential cryptographic algorithm changes in response to emerging threats.
LikeLike
Celebrate
Support
Love
Insightful
Funny
5
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Rita NG Cybersecurity and Technology Risk | CISA, CISSP, CCSP, CISM, ISO27001 LA, CBSP, CCSK
Securing Encryption Keys in TransitFor encryption keys to be usable by different parties, key exchange is inevitable. It is crucial to securely transmit encryption keys between parties without exposing it to potential eavesdroppers or attackers. This involves the use of cryptographic functions and encryption. Some common key exchange methods are Diffie-Hellman Key Exchange, Elliptic Curve Diffie-Hellman, RSA Key Exchange, Public Key Infrastructure, Pre-Shared Keys, Key Wrapping, Key Derivation Functions, Perfect Forward Secrecy.When selecting a key exchange method, it's important to consider factors such as security level required, computational efficiency, and the specific cryptographic algorithms employed.
LikeLike
Celebrate
Support
Love
Insightful
Funny
5
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Udhaya Prakash C Security Engineering
Implement KMS & Monitoring and alertsKey Management System (KMS): Utilize a dedicated KMS to centralize key management. KMS services offer features like key rotation, auditing, and access controls to restrict key usage.Implement real-time monitoring for key usage and set up alerts for suspicious or unauthorized activities.Apply the principle of least privilege, granting users the minimum level of access necessary to perform their tasks.
LikeLike
Celebrate
Support
Love
Insightful
Funny
4
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
- Christopher ANORUO Cyber Security Advisor and Enterprise IT Director
Micro Token Exchange (MTE) technology solution initially replaces any size of file or data element with a MicroToken that serves as a placeholder for the original data. The original data is encrypted and broken apart into many segments whether at rest or in transit. Let us first examine the concept of trust. Standard security protocols require that you have trust entities your organization does not control. You must trust the OS, you must trust the certificate authority, you must trust the network, you must trust the device the client is using, and the list goes on. By embedding data security within your application, the data can be secured as soon as it exists, and your application can be 100% in control of ensuring it is never exposed.
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
-
One of the latest innovations in encryption key management is the concept of Bring Your Own Key (BYOK), which allows customers to generate and manage their own encryption keys for cloud services, rather than relying on the cloud provider’s keys. This gives customers more control and ownership over their data security and privacy, as well as the ability to revoke or rotate keys as needed. However, BYOK also comes with some challenges and responsibilities, such as ensuring the compatibility and interoperability of the keys across different cloud platforms, and maintaining the availability and backup of the keys in case of failure or disaster.
LikeLike
Celebrate
Support
Love
Insightful
Funny
2
- Report contribution
Thanks for letting us know! You'll no longer see this contribution
Load more contributions
Information Security
Information Security
+ Follow
Rate this article
We created this article with the help of AI. What do you think of it?
It’s great It’s not so great
Thanks for your feedback
Your feedback is private. Like or react to bring the conversation to your network.
Tell us more
Tell us why you didn’t like this article.
If you think something in this article goes against our Professional Community Policies, please let us know.
We appreciate you letting us know. Though we’re unable to respond directly, your feedback helps us improve this experience for everyone.
If you think this goes against our Professional Community Policies, please let us know.
More articles on Information Security
No more previous content
- How would you communicate a security breach to clients without causing panic? 5 contributions
- You're facing pushback from senior leadership on security risks. How do you persuade them to take action?
- Senior leadership is downplaying a security risk. Are you prepared to navigate the consequences?
- How do you ensure secure file sharing practices when collaborating with external partners remotely? 5 contributions
- Stakeholders demand performance over security. Can you protect sensitive data without compromising speed?
- Balancing security and convenience in IT-UX collaboration: Are you prepared to find the middle ground?
- Your organization faces a security breach. How can you respond without instilling fear or assigning blame? 13 contributions
- Your company's data is at risk with remote work. How can you protect it during transmission? 8 contributions
- You're tasked with optimizing system performance and security. How do you navigate budget limitations?
No more next content
Explore Other Skills
- IT Strategy
- Technical Support
- Cybersecurity
- IT Management
- Software Project Management
- IT Consulting
- IT Operations
- Search Engines
- Data Management
- Information Technology
More relevant reading
- Information Technology What's the best way to encrypt your data?
- Network Security How can you use network encryption to protect your business?
- Administrative Assistance What are the most effective ways to secure data when transferring it across borders?
- Cybersecurity How can you balance security and accessibility when managing encryption keys?